[Linux-disciples] Embarrassing

Adam Rosi-Kessel adam at rosi-kessel.org
Tue Mar 14 14:30:43 EST 2006


At quick glance, it looks like this only affects the development version of
Ubuntu...? I don't think that's so embarrassing.

Stephen R Laniel wrote:
> So ... this is embarrassing:
> http://www.ubuntu.com/usn/usn-262-1
> 
> I include the article below. It's via Slashdot, which
> perhaps explains it more succinctly:
> http://it.slashdot.org/it/06/03/13/0525254.shtml
> 
> This comes on the heels of another huge, embarrassing
> security hole that's been around for years:
> http://www.schneier.com/blog/archives/2006/03/huge_vulnerabil_1.html
> 
> =========================================================== 
> Ubuntu Security Notice USN-262-1             March 12, 2006
> Ubuntu 5.10 installer vulnerability
> CVE-2006-1183
> ===========================================================
> 
> A security issue affects the following Ubuntu releases:
> 
> Ubuntu 5.10 (Breezy Badger)
> 
> The following packages are affected:
> 
> base-config
> passwd
> 
> The problem can be corrected by upgrading the affected package to
> version 2.67ubuntu20 (base-config) and 1:4.0.3-37ubuntu8 (passwd).  In
> general, a standard system upgrade is sufficient to effect the
> necessary changes.
> 
> Details follow:
> 
> Karl Øie discovered that the Ubuntu 5.10 installer failed to clean
> passwords in the installer log files. Since these files were
> world-readable, any local user could see the password of the first
> user account, which has full sudo privileges by default.
> 
> The updated packages remove the passwords and additionally make the
> log files readable only by root.
> 
> This does not affect the Ubuntu 4.10, 5.04, or the upcoming 6.04
> installer.  However, if you upgraded from Ubuntu 5.10 to the current
> development version of Ubuntu 6.04 ('Dapper Drake'), please ensure
> that you upgrade the passwd package to version 1:4.0.13-7ubuntu2 to
> fix the installer log files.
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Linux-disciples mailing list
> Linux-disciples at lists.bostoncoop.net
> http://lists.bostoncoop.net/mailman/listinfo/linux-disciples
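
The quoted advisory describes two conditions: installer logs readable by every local user, and a password stored in them. A host can be checked for both as follows. This is an added example, not part of the original thread or of Ubuntu's fix; the directory argument and the `passw(or)?d` pattern are assumptions, since the advisory gives neither the log path nor the log format.

```shell
#!/bin/sh
# Added example: audit a log directory for the exposure in the advisory.
# The directory passed as $1 is a placeholder chosen by the operator; the
# advisory does not name the installer log location.

# Print every regular file under $1 whose mode grants read to "other".
world_readable_logs() {
    find "$1" -type f -perm -004 -print
}

# Print world-readable files that also contain a password-like key.
# The pattern is an assumption, not the installer's documented format.
# Only file names are printed, so the stored secret is never echoed.
exposed_password_logs() {
    world_readable_logs "$1" | while IFS= read -r f; do
        if grep -q -i -E 'passw(or)?d' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Permission half of the fix: drop group/other access on affected files.
# Root ownership and scrubbing the stored password are separate steps,
# which the advisory says the updated packages perform.
restrict_logs() {
    find "$1" -type f -perm -004 -exec chmod 600 {} +
}
```

Run `exposed_password_logs` against the log directory before and after upgrading; an empty result afterwards shows the permission change took effect.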

